pomerium · calebdoxsey · Dec 19, 2025 · Dec 17, 2025 · Dec 19, 2025
@@ -1,12 +1,12 @@
-name: Update Pomerium
+name: Update Dependencies
 
 on:
   schedule:
     - cron: "40 1 * * *"
   workflow_dispatch:
 
 jobs:
-  update:
+  update-dependencies:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
@@ -15,28 +15,35 @@ jobs:
           submodules: "true"
           token: ${{ secrets.APPARITOR_GITHUB_TOKEN }}
 
-      - name: Update Pomerium
-        run: make update-pomerium
+      - name: Setup ASDF
+        uses: asdf-vm/actions/install@b7bcd026f18772e44fe1026d729e1611cc435d47
+
+      - name: Update Tools
+        run: ./scripts/update-dependencies tools
+
+      - name: Update Pomerium Dependencies
+        run: ./scripts/update-dependencies pomerium
 
       - name: Generate
         run: make generate
 
-      - name: Check for changes
+      - name: Check for Changes
         id: git-diff
         run: |
           git config --global user.email "apparitor@users.noreply.github.com"
           git config --global user.name "GitHub Actions"
-          git add deps/github.com/pomerium
+          git add .
           git diff --cached --exit-code || echo "changed=true" >> $GITHUB_OUTPUT
 
       - name: Create Pull Request
         if: ${{ steps.git-diff.outputs.changed }} == 'true'
-        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e
+        uses: peter-evans/create-pull-request@84ae59a2cdc2258d6fa0732dd66352dddae2a412
         with:
           author: GitHub Actions <apparitor@users.noreply.github.com>
-          body: "This PR updates Pomerium Dependencies"
-          commit-message: "ci: update pomerium dependencies"
+          body: "This PR updates dependencies not managed by dependabot."
+          branch: ci/update-core
+          commit-message: "ci: update dependencies"
           delete-branch: true
           labels: ci
-          title: "ci: update pomerium dependencies"
+          title: "ci: update dependencies"
           token: ${{ secrets.APPARITOR_GITHUB_TOKEN }}
@@ -0,0 +1 @@
+python 3.14.2
@@ -0,0 +1,58 @@
+#!/bin/bash
+set -euo pipefail
+
+_project_root="$(cd "$(dirname "${BASH_SOURCE[0]}")" >/dev/null 2>&1 && pwd)/.."
+
+require-command() {
+	local _command="${1?"command is required"}"
+
+	if ! command -v "$_command" >/dev/null 2>&1; then
+		echo "$_command is required"
+		exit 1
+	fi
+}
+
+get-tool-version() {
+	local _tool="${1?"tool is required"}"
+
+	require-command asdf
+
+	asdf current --no-header "$_tool" | tr -s ' ' | cut -d ' ' -f2
+}
+
+update-pomerium() {
+	pushd "$_project_root"
+
+	git submodule update --remote deps/github.com/pomerium
+
+	popd
+}
+
+update-tools() {
+	pushd "$_project_root"
+
+	require-command asdf
+
+	asdf install python latest
+	asdf set python latest
+
+	popd
+}
+
+run() {
+	local _command="$1"
+	case "$_command" in
+	pomerium)
+		update-pomerium
+		;;
+	tools)
+		update-tools
+		;;
+	*)
+		echo "unknown command $_command"
+		exit 1
+		;;
+	esac
+}
+
+run "${1?'command is required'}"
+11 −10		.github/workflows/update-dependencies.yaml
+1 −1		deps/github.com/pomerium/pomerium-console
+27 −0		scripts/update-dependencies